Start Free Trial
Book Your Demo

    Axonius Data Processing Addendum

    Updated April 8, 2021

    How to Enter into the DPA

    If you are ready to enter into this Axonius Data Processing Addendum and you meet the criteria specified in the below paragraph, please send an email to privacy@axonius.com notifying us of your wish.

    This Data Processing Addendum (“DPA”) is entered into between Axonius, Inc. and its Affiliates (collectively, “Axonius”) and the entity that entered into a sales order with Axonius, including such entity’s participating Affiliates, if any (collectively, “Customer”) (jointly, “the Parties”), pursuant to, and in accordance with, Section 8.4 of Axonius’ terms and conditions (available at: https://www.axonius.com/terms-conditions/) or License Agreement between the Parties (as applicable, the “Contract”), and reflects the Parties’ agreement with respect to the Processing of Personal Data in accordance with the requirements of the Data Protection Laws (as defined below). This DPA is not intended to remove or lessen Customer’s obligations with respect to Personal Data under the Contract.

    Agreement

    1.  Definitions

    1.1.  “Affiliate” of an entity means any other entity that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such entity. The term “control” (including the terms “controlled by” and “under common control with”) means the direct or indirect ownership of more than 50% of the voting securities, or the power in fact to direct or cause the direction of the management, of an entity.

    1.2.  “Authorized Persons” means Axonius’ employees, officers, partners, principals, contractors, subcontractors, sub-processors, or other agents who Process Personal Data.

    1.3.  “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer’s Personal Data transmitted, stored or otherwise Processed.

    1.4.  “Data Protection Laws” means all applicable laws which govern the Processing of Personal Data hereunder, and include the laws of the European Union (“EU”) Data Protection Act 1998, the EU General Data Protection Regulation (“GDPR”), and the California Consumer Protection Act of 2018 (“CCPA”), as amended or replaced from time to time.

    1.5.  “Personal Data” means any personal data, as defined in the applicable Data Protection Laws, which is provided by or on behalf of Customer, and Processed by Axonius pursuant to the Contract, which is described in Section 5 of this DPA.

    1.6.  “Regulator” means the data protection Supervisory Authority which has jurisdiction over the Processing of Personal Data.

    1.7.  “Services” means the services and/or products that are ordered by the Customer from Axonius under the Contract.

    1.8.  “Subprocessor” means any data Processor engaged by Axonius or its Affiliate.

    1.9.  The terms such as “Data Subject”, “Controller”, “Processor”, “Processing” and “Supervisory Authority” shall have the meaning ascribed to them in the applicable Data Protection Laws.

    2.  Contract

    2.1. This DPA supplements the Contract and in the event of any conflict between the terms of this DPA and the terms of the Contract, the terms of this DPA shall prevail with respect to the subject matter hereof.

    3.  Data Protection Laws and Regulations

    3.1.  Roles of the Parties.   The Parties acknowledge and agree that Axonius will Process the Personal Data in the capacity of a Processor, and that Customer will be the Controller of the Personal Data.

    3.2.  DPO.   To the extent required by Data Protection Laws, the Parties will each designate a data protection officer (a “DPO”) and provide their contact details to the other Party.

    4.  Obligations of the Controller

    4.1.   Compliance and Instructions. Customer agrees that it will comply with its obligations as a Controller under the Data Protection Laws and that it will be solely responsible for such compliance, including without limitation the lawfulness of any instructions to Axonius or transfer of Personal Data to Axonius and Customer’s Processing of Personal Data.

    4.2.  Responsibility for Personal Data. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired and retained Personal Data. Customer agrees that it shall not provide to Axonius (or otherwise allow Axonius to access) data which is defined as special categories of Personal Data under Article 9(1) of the GDPR.

    4.3.  Data Subject and Supervisory Authority Requests. Customer shall be responsible for communications in relation to all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Data, in accordance with Data Protection Laws.

    4.4.  Representations. Customer represents, warrants, and covenants that (a) the Personal Data has been collected and transferred to Axonius in accordance with the Data Protection Laws; (b) prior to its transfer to Axonius, the Personal Data has been maintained, retained, secured and protected in accordance with the Data Protection Laws; (c) Customer will respond to inquiries from Data Subjects and from applicable Regulators concerning the Processing of the Personal Data, and will alert Axonius of any inquiries from Data Subjects or from applicable Regulators that relate to Axonius’ Processing of the Personal Data; (d) prior to the collection of Personal Data, Customer has obtained all necessary consents from a Data Subject for Axonius’ Processing of Personal Data in accordance with this DPA; (e) Customer will make available a copy of this DPA to any Data Subject or Regulator as required by the Data Protection Laws; (f) Customer shall be solely responsible and liable for its compliance with the Data Protection Laws; and (g) Customer will only transfer and provide Axonius with such Personal Data required to perform the Services.

    5.  Details of Processing Activities

    5.1.  Subject Matter of Processing: Axonius’ provision of the Services to Customer under the Contract.

    5.2.  Duration of the Processing: The term of the Contract plus the period from the expiry of such term until return or deletion of all Personal Data by Axonius.

    5.3.  Nature and Purpose of the Processing: Axonius will Process Personal Data provided by Customer for the purposes of providing the Services to Customer in accordance with the terms of the Contract.

    5.4.  Data Subjects: Data subjects include the individuals about whom data is provided to Axonius via the Services by (or at the direction of) Customer. These may include Customer employees, contractors, directors, staff, partners, and end users.

    5.5.  Categories of Data: Data relating to individuals provided to Axonius via the Services, by (or at the direction of) Customer. The Customer may submit Personal Data to Axonius, and may request for end users to submit Personal Data to Axonius the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, without limitation: name, title, geographic location, contact details, IP address, gender, and other personal details of Data Subjects.

    6.  Obligations of the Processor

    6.1.  Scope of Processing. Axonius will Process the Personal Data on documented instructions from Customer, and in such manner as is necessary for the provision of Services under the Contract, except as required to comply with a legal obligation to which Axonius is subject. Axonius warrants that it has no reason to believe that Data Protection Laws prevent it from fulfilling the obligations under this DPA. Axonius shall promptly inform Customer if, in its opinion, the execution of an instruction could violate any Data Protection Laws.

    6.2.  Cooperation. Axonius shall provide commercially reasonable cooperation and assistance to Customer in: (a) fulfilling its legal obligations; (b) formulating a correct response; and (c) taking suitable further steps in respect to any Security Incident, Data Subject request, or Regulator request.

    6.3.  Data Subject & Regulator Requests. If Axonius receives a request from a Data Subject made under Data Protection Laws relating to Personal Data, Axonius will provide a copy of that request to the Customer and provide the necessary assistance to the Customer to enable it in responding to the request. Axonius shall reasonably assist the Customer in addressing communications and abiding by advice or orders from the Regulator relating to the Personal Data within the timeframe specified by the Regulator.

    6.4.  Disclosure to Third Parties. Axonius will not disclose the Personal Data to third parties except as permitted by this DPA or the Contract, unless Axonius is required to disclose the Personal Data by applicable laws, in which case, except as restricted by law, Axonius shall notify Customer in writing before complying with such disclosure request.

    6.5.  Retention. Axonius will keep Personal Data storage to a minimum and will implement data retention and disposal policies to limit data storage to that which is necessary, in accordance with applicable laws. Upon Customer’s written request, Axonius will either destroy, or return the Personal Data to Customer unless legal obligations require storage of Personal Data or as otherwise agreed upon in the Contract or another agreement.

    6.6.  Confidentiality. Axonius shall take commercially reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data. Axonius shall ensure Authorized Persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Customer’s own written binding policies that are at least as restrictive as this DPA).

    6.7.  Data Security. Axonius shall implement the technical and organizational security measures which shall include, as appropriate for the risk, the following: pseudonymization and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services, and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident. A description of Axonius’ security measures is attached at Exhibit A. Axonius shall be permitted to implement alternative adequate measures and any substantial changes shall be documented. Axonius shall implement a procedure for the regular testing, inspection, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the Processing and, upon Customer’s written request, notify Customer of any findings.

    6.8.  GDPR Articles 32-36. Axonius will provide commercially reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36 (which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation). Upon written request, Axonius shall provide the Customer with the information required for the preparation of the record of Processing operations.

    6.9.  DPIA. Axonius shall provide Customer with commercially reasonable information for Customer to comply with any obligation to carry out a data protection impact assessment or consult with Regulator pursuant to Articles 35 and 36 of the GDPR.

    6.10.  CCPA. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies, Axonius will not “sell” (as defined in the CCPA) any such Personal Data.

    7.  Audit

    7.1.  Scope. Axonius will maintain records of its Processing activities as required by the Data Protection Laws and will make available to Customer information necessary to demonstrate its compliance with the obligations set out in this DPA upon reasonable written request. Customer’s inspection rights under this DPA do not extend to Axonius’ employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties.

    7.2.  Process. Subject to reasonable written notice from Customer and at the Customer's additional expense, Axonius may permit audits conducted by a third-party auditor acting on Customer’s behalf to enable Customer to verify that Axonius is in compliance with the obligations under this DPA. Audits and inspections will be carried out at mutually agreed times during regular business hours, not to exceed once per calendar year.

    7.3.  Confidentiality. All information obtained during any such request for information or audit will be considered Axonius’ confidential information under the Contract and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Axonius’ confidential information. The third-party auditor may only disclose to Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.  

    8.  Contracting with Subprocessors

    8.1.  Customer hereby consents to Axonius’ engagement of Subprocessors in connection with the processing of the Personal Data. A list of Axonius’ current Subprocessors (“Subprocessor List”) is located at https://www.axonius.com/subprocessor-list. Customer may reasonably object to any new Subprocessor within 15 days of receiving notice (which notice might be in the form of an update to the Subprocessor List on Axonius’ website), in which case the Parties will work together in good faith to resolve the grounds for the objection, including cases where Axonius may use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially-reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected-to new Sub-processor. If the Parties are unable to resolve the objection within a reasonable time period (not to exceed sixty (60) days), Customer may terminate those Services which cannot be provided by Axonius without the use of the objected-to new Subprocessor, by providing written notice to Axonius. Axonius will enter into written agreements with each Subprocessor containing reasonable provisions relating to the implementation of technical and organizational measures in compliance with the GDPR. In relation to Customer, Axonius will remain liable for acts and omissions of its Subprocessors in connection with the provision of the Services.

    9.  Transfers Outside of the European Economic Area

    9.1.  Customer acknowledges that Axonius may, without Customer’s prior written consent, transfer the Personal Data to a foreign jurisdiction provided such transfer is either (i) to a country or territory which has been formally recognized by the European Commission as affording the Personal Data an adequate level of protection, or (ii) otherwise safeguarded by mechanisms, such as Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries, dated 5 February 2010 (2010/87/EU) (“SCC”) and other certification instruments, recognized and approved by the European Commission from time to time.

    9.2.  The Parties agree that the SCC shall apply in relation to any transfers of Personal Data, that occur either directly from the European Economic Area (“EEA”) or outside the EEA via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data. Section 5 of this DPA shall serve as Appendix 1 of the SCC, and Exhibit A of this DPA shall serve as Appendix 2 of the SCC.

    9.3.  If after the effective date of this DPA, the European Commission issues new SCCs for Controller to Processor contracts, the parties agree, as evidenced by their signatures on this Addendum, that such new SCCs will apply to any Personal Data. Such action will not invalidate or render this DPA or the Contract unenforceable.

    9.4.  To the extent the European Commission finds the reliance on the SCC as not valid transfer mechanism for transfers of Personal Data, either directly or via onward transfer to a party located in the United States, the parties agree to promptly coordinate and determine a valid transfer mechanism.

    10.  Data Breach

    10.1.  Data Breach. Axonius will notify Customer of any Data Breach of which it becomes aware without undue delay consistent with measures necessary to determine the scope of the breach and to restore the integrity of Axonius’ systems. Axonius will use commercially reasonable efforts to investigate the Data Breach and take any actions that are reasonably necessary to mitigate damage, as required by law and as appropriate under the circumstances.

    10.2.  Notification. Axonius’ notification of a Data Breach, to the extent known, will include: (a) the nature of the Data Breach; (b) the date and time upon which the Data Breach took place and was discovered; (c) the estimated number of Data Subjects affected by the incident; (d) the categories of Personal Data involved; (e) the measures – such as encryption, or other technical or organizational measures – that were taken to address the incident, including measures to mitigate the possible adverse effects; (f) the name and contact details of the data protection officer or other relevant contact; and (g) a brief description of the likely consequences of the Data Breach.

    10.3.  Coordination. Axonius will reasonably assist Customer in fulfilling its obligations to notify Data Subjects and the relevant authorities in relation to a Data Breach, provided that nothing in this section shall prevent either Party from complying with its obligations under Data Protection Laws.

    11.  Liability and Indemnity

    11.1.  Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Contract.

    12.  Severability

    12.1.  Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA. 

     

    Exhibit A – Security Policies, Procedures, Controls

    Axonius maintains a formal cybersecurity program to safeguard the Processing of Personal Data. The program is structured according to the ISO 27001 standard and is certified on a regular basis by independent external auditors for compliance with ISO 27001 or an equivalent cybersecurity management framework. The program enables Axonius to establish comprehensive and risk-informed security measures that span the following areas and address the confidentiality and integrity of Personal Data:

    1. Physical Security: Axonius maintains appropriate physical security measures to protect tangible items, such as physical computer systems and devices, that Process Personal Data. 

    2. Logical Access Controls: Axonius restricts access to Personal Data and related logical infrastructure and applications using formal authentication and authorization measures. Whenever practical, Axonius relies on Single Sign-On to validate identities of its personnel when deciding whether to grant access. Axonius deploys firewalls and other relevant security measures to protect its networks from unauthorized access.

    3. Application: Axonius incorporates security requirements and guidance into its Software Development Lifecycle to mitigate the risks associated with inappropriate access or other misuse of Personal Data through the company’s products. Axonius conducts annual security reviews of the products to identify and help address vulnerabilities.

    4. Data: Axonius uses modern encryption techniques to safeguard the transfer of Personal Data across the network. Where appropriate, Axonius also encrypts data at rest.

    5. Personnel: Axonius screens its personnel according to local laws and practices and taking into account business requirements of the role, the classification of the data the person will regularly access, and perceived risks. Axonius informs its personnel about the company’s cybersecurity program and the role they play in it.

    6. Subprocessors: Axonius uses third-party cloud infrastructure and SaaS providers for many aspects of its services. Axonius reviews these Subprocessors’ cybersecurity practices according to our vendor review program to confirm that provide sufficient safeguards to protect Personal Data.